美好的一天,我是 kubernetes 的新手,并尝试设置我的第一个环境。我想遵循方案:
- 我的组织有公共 IP (xxxx)
192.168.0.10
此 IP使用 win 服务器 + IIS路由到专用 LAN(即)中的服务器。在 IIS 上,我有 URL 重写模块,它充当反向代理- 我有 Kubernetes 集群
- 我有一些服务部署到 k8s
- 我想使用 SSL 从 Internet 访问此服务,从 let's encrypt 获得
我已经设置了 k8s 集群,部署了 traefik ( v1.7
) 入口并配置它们以进行加密(设置http->https
重定向,设置 acme 挑战)。这工作正常 - 我可以从 LAN 或 WAN 观察它,并且没有关于证书的警告 - 我看到绿色锁。现在我部署服务(在我的例子中是 graylog)。再次 - 我可以从 LAN 和 WAN 观察它,但在这种情况下,我看到有关证书的警告(它是由 颁发的TRAEFIK_DEFAULT_CERT
)。看到这个后,我尝试搜索更多信息,发现我需要 cert-manager。我部署了 cert-manager,创建了让我们加密颁发者(具有 ClusterIssuer 角色),但随后我尝试颁发证书我收到以下错误(在挑战描述中找到):
Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
我的 traefik 配置图:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "my-public-domain.com"
我也尝试在那里使用通配符:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "*.my-public-domain.com"
sans = ["my-public-domain.com"]
我的集群发行者:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-dev
spec:
acme:
email: mymail@example.xyz
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: example-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: traefik
还有我的测试证书:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
renewBefore: 360h # 15d
commonName: logger.my-public-domain.com
dnsNames:
- logger.my-public-domain.com
issuerRef:
name: letsencrypt-dev
kind: ClusterIssuer
我有通配符域的 DNS 条目并且可以 ping 它
我的证书卡在状态OrderCreated
:
Status:
Conditions:
Last Transition Time: 2019-10-08T09:40:30Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 47m cert-manager Created Order resource "example-com-3213698372"
订单卡在状态Created
:
Status:
Challenges:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Finalize URL: <url>
State: pending
URL: <url>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 48m cert-manager Created Challenge resource "example-com-3213698372-0" for domain "logger.my-public-domain.com"
最后,通过挑战:
Spec:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 55m cert-manager Challenge scheduled for processing
Normal Presented 55m cert-manager Presented challenge using http-01 challenge mechanism
我看到有 404 响应,但我不明白它的原因。在我的 IIS 上,我有以下重写规则:让我们加密绕过 - 所有匹配的 url 都.well-known/*
重写到 kubernetes 主机。http 到 https - 所有不匹配的 url 让我们加密重定向到 https 子域重定向 - 所有子域请求都重写到 kubernetes。
在我的局域网中,我有自己的 DNS 服务器,所有域my-public-domain.com
都有映射到内部地址,所以我可以将公共主机名重定向logger.my-public-domain.com (x.x.x.x)
到 internal logger.my-public-domain.com (192.168.0.y)
。
在挑战活动期间,我在 traefik 仪表板中看到了新的后端和前端。
也许我误解了它应该如何工作,但我希望 cert-manager 使用 let's encrypt 颁发证书,我可以观察我的服务。